A comparison of /tmp, swap and encryption install time options

Research and document by Mark Krenz
Created: April 11th, 2012
Last update: May 14th, 2013

Summary

On this page I document the results of my research into the default, custom and encryption options for many of the most popular distributions of Linux and the BSDs. I tried my best to include a few versions of some of the most popular ones to show any change in policy. However, I didn't have enough time to install all of them in every combination, nor to fully install X on some of the distributions. You are most certainly welcome to e-mail me updates to the tables below.

This research is related to the report about the libvte scrollback problem with terminal data being written to disk. After releasing that report, there were several "knowledgeable people" who made uninformed comments such as "most distributions put /tmp on tmpfs by default anyways". This is obviously not true unless you are using the latest version of Arch, or unless you have selected an advanced option during install on Mageia or PC Linux OS. Not even Gentoo mentions it in their Handbook or Quick Install Guide. Slackware makes no mention of it on their website. Apparently people missed the memo on tmpfs; the notice about it was on display in the basement of the planning office for the last nine months behind a locked door. ;-)

The focus of this research was on what happens when you choose the default installation options, not what you can do after installation. I think any distribution allows you to move /tmp onto tmpfs after installation. For some distributions, I also went on and tried a custom and an encrypted install to see the results there. Except for the ones mentioned above, no distribution offered tmpfs as an option during the partitioning stage, and anyone who has tmpfs would have had to add it post-installation.

Most distributions also default to gnome-terminal or some other libvte-based terminal, and I was surprised how many don't offer any other options, such as xterm. This is a disturbing trend, and I'm not sure what the reason is for not including xterm when historically it has always been the most basic terminal option available. xterm is also the most fully capable terminal emulator there is. Sabayon Linux not including vi by default is also just plain weird. I filed a bug report and they said they won't fix it.

Thoughts on tmpfs

In theory tmpfs makes sense, but it isn't always a good thing if you're a desktop user, and I think some people turn it on without completely thinking through the potential consequences. Many GUI programs are designed to recover documents after a crash (e.g., Audacity, OpenOffice), and many people like this feature, probably far more than the number of people who would like to use tmpfs. By default Audacity stores its data in /tmp and recovers from there after a crash. If someone's system crashed, it would mean losing that recovery data, which I'm sure is not what they wanted to happen.

If you are thinking about turning on tmpfs, you should exercise caution and consider how you use your system and how the programs you use would be affected by losing the data there across a reboot or crash.

One other consideration is that tmpfs is not a perfect solution to the problem of terminal scrollback data being written to /tmp, because tmpfs pages can be swapped out to disk if the kernel decides to do so. Chances are that if you're using swap space on your system and run low on memory, your terminal itself may have pages swapped out to disk anyway, but it's nevertheless an issue to consider.

Thoughts on encryption

Encryption is a good thing generally, but I can understand why distributions don't default to having it turned on. Support would be a nightmare, for one: there is no way to recover in the event you forget your password. So it's more of a power user thing than something that should be a default and enforced upon people. In a recent Slashdot poll with 25,813 responses, dated 2011-11-21, over 49% of people admitted to not encrypting their drives. Slashdot is a subset of geeks and power users on the Internet and has a long history of holding single-question polls that help to reveal the geek status quo. In the survey, only 12% of the respondents admitted to encrypting more than just their home directory, meaning no more than 12% encrypted their /tmp filesystem. Ubuntu, which is probably the most popular distribution of Linux, only offers a home directory encryption option upon installation.

Encrypting your swap partition is a bit of a no-brainer, and I can think of no excuse for not using it by default. You should still wipe its contents along with the drive itself when you're done with it, though.
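The two properties the tables below record, whether /tmp is on tmpfs and whether swap is encrypted, can be checked on a running Linux system. This is an added example, not code from the original page: it parses /proc/mounts and /proc/swaps, treats a swap device as encrypted when its device-mapper UUID in sysfs starts with CRYPT- (the prefix cryptsetup assigns), and flags the swap-out caveat from the tmpfs section above; the sample inputs are constructed.

```python
import os

# Constructed sample input (not captured from any install in the tables):
# /tmp is on tmpfs, but the only swap device is a plain, unencrypted partition.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""
SAMPLE_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/sda5                               partition\t2097148\t0\t-1
"""

def tmp_fstype(mounts_text):
    """Filesystem type mounted on /tmp, or None; the last matching mount wins."""
    fstype = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "/tmp":
            fstype = fields[2]
    return fstype

def swap_devices(swaps_text):
    """Device paths listed in /proc/swaps (the header line is skipped)."""
    return [ln.split()[0] for ln in swaps_text.splitlines()[1:] if ln.strip()]

def sysfs_dm_uuid(device):
    """dm UUID of a block device ('' if not device-mapper); cryptsetup mappings start with 'CRYPT-'."""
    name = os.path.basename(os.path.realpath(device))  # /dev/mapper/x -> dm-N
    try:
        with open(f"/sys/class/block/{name}/dm/uuid") as f:
            return f.read().strip()
    except OSError:
        return ""

def audit(mounts_text, swaps_text, dm_uuid=sysfs_dm_uuid):
    """Report the two table columns plus the swap caveat from 'Thoughts on tmpfs'."""
    on_tmpfs = tmp_fstype(mounts_text) == "tmpfs"
    devices = swap_devices(swaps_text)
    # None mirrors the table's N/A: with no swap there is nothing to encrypt.
    swap_enc = None if not devices else all(dm_uuid(d).startswith("CRYPT-") for d in devices)
    warnings = []
    if not on_tmpfs:
        warnings.append("/tmp is on disk: anything written there (e.g. libvte scrollback) persists")
    if on_tmpfs and swap_enc is False:
        warnings.append("/tmp is on tmpfs but swap is unencrypted: tmpfs pages can still be swapped to disk")
    return {"tmp_on_tmpfs": on_tmpfs, "swap_encrypted": swap_enc, "warnings": warnings}

if __name__ == "__main__":
    with open("/proc/mounts") as m, open("/proc/swaps") as s:
        print(audit(m.read(), s.read()))
```

Run as a script on a live system, it reads the real /proc/mounts and /proc/swaps; the sysfs lookup only works where /sys is mounted.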

Conclusion

So in conclusion, given that the majority of people are not using tmpfs or encryption and the most popular terminal installed is gnome-terminal, the data breach presented by the flaw in libvte is quite significant and users need to be made aware of it.

Result data

Below are the results of installing distributions in virtual machines and some notes during and after the install process. Boldface in the "Terminals available by default" column indicates the terminals that are available in the menu system. A ? means I didn't fully check. Sorry.

Installation options for some of the most popular distributions of Linux and BSD
Default installs (what most people probably choose)
| Distro | Version | Has VTE flaw | /tmp on tmpfs | /tmp encrypted | swap encrypted | tmpfs available | Terminals available by default | Notes |
|---|---|---|---|---|---|---|---|---|
| Arch | 2010.05 | ? | NO | NO | NO | YES | | Didn't install X because it's not on the CD and this is an old version. |
| Arch | 2011.08 | YES | YES | NO | NO | YES | xterm | Installed gnome separately |
| CentOS | 5.8 | NO | NO | NO | NO | YES | gnome-terminal, xterm, uxterm | |
| CentOS | 6.0 | YES | NO | NO | NO | YES | gnome-terminal | |
| CrunchBang | 10-20120207 | YES | NO | NO | NO | YES | terminator | |
| Debian | 5 | NO | NO | NO | NO | YES | gnome-terminal | |
| Debian | 6 | YES | NO | NO | NO | YES | gnome-terminal | |
| Fedora | 12 | YES | NO | NO | NO | YES | gnome-terminal | |
| Fedora | 14 | YES | NO | NO | NO | YES | gnome-terminal, ? | |
| Fedora | 16 | YES | NO | NO | NO | YES | gnome-terminal | |
| Fedora | 17alpha | YES | NO | NO | NO | YES | gnome-terminal, ? | |
| Gentoo | 2012-02-22 docs | ? | NO | NO | NO | YES | ? | |
| Linux Mint | 12 | YES | NO | NO | NO | YES | gnome-terminal, ? | |
| Mageia | 1 | YES | NO* | NO | NO | YES | gnome-terminal | Has an option to turn on tmpfs in the GUI. |
| OpenSUSE | 12.1 | YES | NO | NO | NO | YES | ? | |
| PC Linux OS | 2012.02 XFCE | YES | NO | NO | NO | YES | | |
| Pinguy | 11.04 | YES | NO | NO | NO | YES | gnome-terminal | |
| Puppy Linux | 5.2 | ? | NO | NO | N/A | YES | urxvt | libvte not installed by default |
| RedHat | 7.2 old | NO | NO | NO | NO | NO | | Just for a fun comparison |
| Sabayon | 7 | YES* | NO | NO | NO | YES | gnome-terminal, guake | When I tried to read /proc/$PPID/fd/21 it said stale NFS file handle |
| Sabayon | 8 | YES* | NO | NO | NO | YES | gnome-terminal, guake | When I tried to read /proc/$PPID/fd/21 it said stale NFS file handle |
| Scientific | 6.2 | YES | NO | NO | NO | YES | gnome-terminal | Mostly like a Fedora install, so I didn't try the other install methods |
| Slackware | 13.37 | ? | NO | NO | NO | YES | konsole, ? | Didn't install gnome |
| TurboLinux | 2008 client | ? | NO | NO | N/A | YES | konsole, ? | Couldn't read it; it was all in Japanese. |
| Ubuntu | 4.10 warty | NO | NO | NO | NO | YES | gnome-terminal, ? | tmpfs available since as far back as 2004 |
| Ubuntu | 6.06 LTS Desktop | NO | NO | NO | NO | YES | gnome-terminal, ? | 32-bit |
| Ubuntu | 8.04 LTS Desktop | NO | NO | NO | NO | YES | gnome-terminal, xterm, koi8rxterm, lxterm, uxterm | 32-bit |
| Ubuntu | 9.04 Desktop | NO | NO | NO | NO | YES | gnome-terminal, xterm, koi8rxterm, lxterm, uxterm | |
| Ubuntu | 9.10 Desktop | YES | NO | NO | NO | YES | gnome-terminal, xterm, koi8rxterm, lxterm, uxterm | |
| Ubuntu | 10.04 LTS | YES | NO | NO | NO | YES | gnome-terminal | |
| Ubuntu | 10.10 Desktop | YES | NO | NO | NO | YES | gnome-terminal, xterm, lxterm, uxterm, koi8rxterm | |
| Ubuntu | 11.04 Desktop | YES | NO | NO | NO | YES | gnome-terminal, xterm, uxterm, lxterm, koi8rxterm | Due to the Unity interface you kind of get 3 choices of terminal |
| Ubuntu | 11.10 Desktop | YES | NO | NO | NO | YES | gnome-terminal, xterm, uxterm, lxterm, koi8rxterm | |
| Ubuntu | 11.10 Alternate | YES | NO | NO | NO | YES | gnome-terminal, xterm, uxterm, lxterm, koi8rxterm | |
| Ubuntu | 12.04 beta1 | YES | NO | NO | NO | YES | gnome-terminal, xterm, uxterm, lxterm, koi8rxterm | |
| Ubuntu | 13.04 Desktop | YES | NO | NO | NO | YES | gnome-terminal | |

| OS | Version | Has flaw | /tmp in memory | /tmp encrypted | swap encrypted | mem backed avail | Terminals available | Notes |
|---|---|---|---|---|---|---|---|---|
| FreeBSD | 9 | ? | NO | NO | NO | YES | ? | |
| NetBSD | 5.1.2 | ? | NO | NO | NO | YES | ? | |
| OpenBSD | 5.0 | ? | NO* | NO | YES | YES | xterm, ? | OpenBSD's motto is "Secure by Default". This was a default install; it does clear /tmp on boot, but that only removes files |
| PC-BSD | 9.0 | YES* | NO | NO | NO | YES | lxterminal, ? | Instead of /tmp, the files are written to the /var partition |

Custom Partitioning
Custom partitioning and options installs (no encryption selected, but I chose to manually partition and set other options)

| Distro | Version | Checked | tmpfs choice available | Swap encrypted | Notes |
|---|---|---|---|---|---|
| Arch | 2010.05 | N | ? | ? | |
| Arch | 2011.08 | N | ? | ? | |
| CentOS | 5.8 | Y | NO | NO | |
| CentOS | 6.0 | Y | NO | NO | |
| CrunchBang | 10-20120207 | N | ? | ? | |
| Debian | 5 | Y | NO | NO | |
| Debian | 6 | Y | NO | NO | |
| Fedora | 12 | N | ? | ? | |
| Fedora | 14 | Y | NO | NO | |
| Fedora | 16 | Y | NO | NO* | It does provide the option to encrypt swap, but it's disabled by default. |
| Fedora | 17alpha | N | ? | ? | |
| Gentoo | 2012-02-22 docs | Y | YES* | NO | It's only available if you know about it. The only place it's mentioned in the install docs is deep in the advanced docs (SELinux/hardened install). |
| Linux Mint | 12 | Y | NO | NO | |
| Mageia | 1 | Y | YES* | NO | If you choose "Clean /tmp at each boot" in the advanced options, it turns on tmpfs for /tmp |
| OpenSUSE | 12.1 | Y | NO | NO | |
| PC Linux OS | 2012.02 XFCE | Y | NO | NO | |
| Pinguy | 11.04 | N* | ? | ? | Looks to be the same results as Ubuntu. I tried, but the installer kept freezing up. |
| Puppy Linux | 5.2 | N | ? | ? | |
| RedHat | 7.2 old | N | ? | ? | |
| Sabayon | 7 | N | ? | ? | |
| Sabayon | 8 | N | ? | ? | |
| Slackware | 13.37 | Y | NO | NO | |
| TurboLinux | 2008 client | N | ? | ? | |
| Ubuntu | 4.10 warty | N | ? | ? | |
| Ubuntu | 6.06 LTS Desktop | N | ? | ? | |
| Ubuntu | 8.04 LTS Desktop | Y | NO | NO | |
| Ubuntu | 9.04 Desktop | N | ? | ? | |
| Ubuntu | 9.10 Desktop | Y | NO | NO | |
| Ubuntu | 10.04 LTS | Y | NO | NO | |
| Ubuntu | 10.10 Desktop | Y | NO | NO | |
| Ubuntu | 11.04 Desktop | Y | NO | NO | |
| Ubuntu | 11.10 Desktop | Y | NO | NO | |
| Ubuntu | 11.10 Alternate | Y | NO | YES | |
| Ubuntu | 12.04 beta1 | N | ? | ? | |

| OS | Version | Checked | tmpfs choice available | Swap encrypted | Notes |
|---|---|---|---|---|---|
| FreeBSD | 9 | N | ? | ? | |
| NetBSD | 5.1.2 | N | ? | ? | |
| OpenBSD | 5.0 | N | ? | ? | |
| PC-BSD | 9.0 | N | ? | ? | |

Encrypted FS
Encrypted installs (note that none of the distributions I tested defaulted to encryption being enabled)
| Distro | Version | Tried | Enc Available | Encryption defaults to enabled | Encryption means LVM | Encryption means homedir only | /tmp encrypted | Swap encrypted | Notes |
|---|---|---|---|---|---|---|---|---|---|
| Arch | 2010.05 | N | ? | ? | ? | ? | ? | ? | |
| Arch | 2011.08 | N | ? | ? | ? | ? | ? | ? | |
| CentOS | 5.8 | N | ? | ? | ? | ? | ? | ? | |
| CentOS | 6.0 | Y | YES | NO | YES | NO | YES | YES | |
| CrunchBang | 10-20120207 | | | | | | | | |
| Debian | 5 | N | ? | ? | ? | ? | ? | ? | |
| Debian | 6 | Y | YES | NO | YES | NO | YES | YES | By default it recommends all files on one partition; I chose to do separate partitions |
| Fedora | 12 | | | | | | | | |
| Fedora | 14 | Y | YES | NO | YES | NO | YES | YES | |
| Fedora | 16 | Y | YES | NO | ? | ? | ? | ? | Installer crashed twice when I tried this, so I gave up |
| Fedora | 17alpha | N | ? | ? | ? | ? | ? | ? | |
| Gentoo | 2012-02-22 docs | N | ? | ? | ? | ? | ? | ? | Most likely it's possible; I didn't check because of the time involved |
| Linux Mint | 12 | Y | YES | NO | NO | YES | NO | YES | |
| Mageia | 1 | Y | YES | NO | YES* | NO* | YES | YES | Provides encryption options for LVM or individual partitions |
| OpenSUSE | 12.1 | Y | YES | NO | YES | NO | YES | YES | Had errors while choosing the encrypted setup |
| PC Linux OS | 2012.02 XFCE | Y | YES* | NO | YES | NO* | YES | YES | Ideally this would have worked and offered LVM encryption and manual single-partition encryption, but I had errors installing LVM for the setup. |
| Pinguy | 11.04 | N* | ? | ? | ? | ? | ? | ? | Probably the same results as Ubuntu 11.04 |
| Puppy Linux | 5.2 | | | | | | | | |
| RedHat | 7.2 old | N | ? | ? | ? | ? | ? | ? | |
| Sabayon | 7 | N | YES | NO | ? | ? | ? | ? | |
| Sabayon | 8 | N | YES | NO | ? | ? | ? | ? | |
| Slackware | 13.37 | Y | NO* | NA | NA | NA | NA | NA | It might be possible, but the interface and the Slackware docs make no mention of this that I could find using a Google search of the site. |
| TurboLinux | 2008 client | N | ? | ? | ? | ? | ? | ? | |
| Ubuntu | 4.10 warty | N | ? | ? | ? | ? | ? | ? | |
| Ubuntu | 6.06 LTS Desktop | N | ? | ? | ? | ? | ? | ? | |
| Ubuntu | 8.04 LTS Desktop | Y | NO | NA | NA | NA | NO | NO | |
| Ubuntu | 9.04 Desktop | Y | NO | NA | NA | NA | NO | NO | |
| Ubuntu | 9.10 Desktop | Y | YES | NO | NO | YES | NO | NO | |
| Ubuntu | 10.04 LTS | Y | YES | NO | NO | YES | NO | NO | |
| Ubuntu | 10.10 Desktop | Y | YES | NO | NO | YES | NO | NO | |
| Ubuntu | 11.04 Desktop | Y | YES | NO | NO | YES | NO | YES | |
| Ubuntu | 11.10 Desktop | Y | YES | NO | NO | YES | NO | YES | |
| Ubuntu | 11.10 Alternate | Y | YES | YES | YES | NO | YES | YES | Alternate disk |
| Ubuntu | 12.04 beta1 | N | ? | ? | ? | ? | ? | ? | |

| OS | Version | Tried | Enc Available | Encryption defaults to enabled | Encryption means LVM | Encryption means homedir only | /tmp encrypted | Swap encrypted | Notes |
|---|---|---|---|---|---|---|---|---|---|
| FreeBSD | 9 | N | ? | ? | ? | ? | ? | ? | |
| NetBSD | 5.1.2 | N | ? | ? | ? | ? | ? | ? | |
| OpenBSD | 5.0 | N | ? | ? | ? | ? | ? | ? | |
| PC-BSD | 9.0 | N | ? | ? | ? | ? | ? | ? | |